actions: upgrade actions and always use commit hash for security reasons
33
.github/workflows/build.yml
vendored
33
.github/workflows/build.yml
vendored
@@ -107,21 +107,21 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
|
||||||
with:
|
with:
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- id: auth
|
- id: auth
|
||||||
name: Authenticate to Google Cloud
|
name: Authenticate to Google Cloud
|
||||||
uses: google-github-actions/auth@v2
|
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # 2.1.12
|
||||||
with:
|
with:
|
||||||
workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
|
workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
|
||||||
service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
|
service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
|
||||||
|
|
||||||
- name: Cache multiple paths
|
- name: Cache multiple paths
|
||||||
if: matrix.goal == 'build'
|
if: matrix.goal == 'build'
|
||||||
uses: actions/cache@v4
|
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # 4.2.4
|
||||||
id: cache-python-ssl
|
id: cache-python-ssl
|
||||||
with:
|
with:
|
||||||
path: |
|
path: |
|
||||||
@@ -136,7 +136,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Use pre-compiled Python for testing
|
- name: Use pre-compiled Python for testing
|
||||||
if: matrix.python != ''
|
if: matrix.python != ''
|
||||||
uses: actions/setup-python@v5
|
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
|
||||||
with:
|
with:
|
||||||
python-version: ${{ matrix.python }}
|
python-version: ${{ matrix.python }}
|
||||||
allow-prereleases: true
|
allow-prereleases: true
|
||||||
@@ -222,7 +222,7 @@ jobs:
|
|||||||
p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
|
p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
|
||||||
|
|
||||||
- name: Windows Configure VCode
|
- name: Windows Configure VCode
|
||||||
uses: ilammy/msvc-dev-cmd@v1
|
uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # 1.13.0
|
||||||
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
||||||
with:
|
with:
|
||||||
arch: ${{ runner.arch }}
|
arch: ${{ runner.arch }}
|
||||||
@@ -284,7 +284,7 @@ jobs:
|
|||||||
echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
|
echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
|
||||||
|
|
||||||
- name: Windows NASM Install
|
- name: Windows NASM Install
|
||||||
uses: ilammy/setup-nasm@v1
|
uses: ilammy/setup-nasm@72793074d3c8cdda771dba85f6deafe00623038b # 1.5.2
|
||||||
if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
if: matrix.goal == 'build' && runner.os == 'Windows' && runner.arch == 'X64' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
||||||
|
|
||||||
- name: Config OpenSSL
|
- name: Config OpenSSL
|
||||||
@@ -461,13 +461,6 @@ jobs:
|
|||||||
curl -O -L "$latest_crypt_whl"
|
curl -O -L "$latest_crypt_whl"
|
||||||
"$PYTHON" -m pip install cryptography*.whl
|
"$PYTHON" -m pip install cryptography*.whl
|
||||||
|
|
||||||
#- uses: actions-rust-lang/setup-rust-toolchain@v1
|
|
||||||
|
|
||||||
# - name: Compile cryptography from source (no legacy)
|
|
||||||
# if: runner.os != 'Windows' || runner.arch != 'ARM64'
|
|
||||||
# run: |
|
|
||||||
# pip install --no-binary ":all:" --force cryptography
|
|
||||||
|
|
||||||
- name: Install pip requirements
|
- name: Install pip requirements
|
||||||
run: |
|
run: |
|
||||||
echo "before anything..."
|
echo "before anything..."
|
||||||
@@ -637,7 +630,7 @@ jobs:
|
|||||||
#"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
|
#"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
|
||||||
|
|
||||||
- name: Attest gam executable was generated from this Action
|
- name: Attest gam executable was generated from this Action
|
||||||
uses: actions/attest-build-provenance@v1
|
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # 2.4.0
|
||||||
if: matrix.goal == 'build'
|
if: matrix.goal == 'build'
|
||||||
with:
|
with:
|
||||||
subject-path: ${{ env.gam }}
|
subject-path: ${{ env.gam }}
|
||||||
@@ -715,7 +708,7 @@ jobs:
|
|||||||
#"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
|
#"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
|
||||||
|
|
||||||
- name: Attest that gam package files were generated from this Action
|
- name: Attest that gam package files were generated from this Action
|
||||||
uses: actions/attest-build-provenance@v1
|
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # 2.4.0
|
||||||
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal == 'build'
|
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal == 'build'
|
||||||
with:
|
with:
|
||||||
subject-path: |
|
subject-path: |
|
||||||
@@ -724,7 +717,7 @@ jobs:
|
|||||||
gam*.msi
|
gam*.msi
|
||||||
|
|
||||||
- name: Archive production artifacts
|
- name: Archive production artifacts
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
|
||||||
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal != 'test'
|
if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && matrix.goal != 'test'
|
||||||
with:
|
with:
|
||||||
name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
|
name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
|
||||||
@@ -988,16 +981,16 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
|
||||||
with:
|
with:
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- name: Download artifacts
|
- name: Download artifacts
|
||||||
uses: actions/download-artifact@v4
|
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # 5.0.0
|
||||||
|
|
||||||
- name: VirusTotal Scan
|
- name: VirusTotal Scan
|
||||||
uses: crazy-max/ghaction-virustotal@v4
|
uses: crazy-max/ghaction-virustotal@d34968c958ae283fe976efed637081b9f9dcf74f # 4.2.0
|
||||||
with:
|
with:
|
||||||
vt_api_key: ${{ secrets.VT_API_KEY }}
|
vt_api_key: ${{ secrets.VT_API_KEY }}
|
||||||
files: |
|
files: |
|
||||||
@@ -1011,7 +1004,7 @@ jobs:
|
|||||||
echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT
|
echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
- name: Publish draft release
|
- name: Publish draft release
|
||||||
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8
|
uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # 2.3.2
|
||||||
with:
|
with:
|
||||||
draft: true
|
draft: true
|
||||||
prerelease: false
|
prerelease: false
|
||||||
|
|||||||
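Review bot: The trailing version comments on the new `uses:` lines are the only record of which release each 40-character SHA is meant to be, and nothing in the workflow checks them, so a SHA that does not match its comment would pass review unnoticed. Writing each comment as the exact upstream tag, e.g. `uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`, makes every pin easy to check by hand against that tag. It is also likely the spelling that update bots expect when they rewrite such comments, though that should be confirmed for whichever bot the project uses. Several pins also cross a major version instead of freezing the old ref (`actions/checkout` and `actions/download-artifact` from `@v4` to 5.0.0, `actions/attest-build-provenance` from `@v1` to 2.4.0), so those release notes deserve a read before this is treated as a pure hardening change. The pinning does not reach the `curl -O -L "$latest_crypt_whl"` / `pip install cryptography*.whl` step in the `-461` hunk, which as far as the hunk shows installs a downloaded wheel with no hash check; that step begins outside the hunk, so where the URL comes from is not visible here.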